Hi everybody,

setting the `--insecure-skip-tls-verify` option seems to both disable TLS verification in the HTTP client doing the upload and set the Registry.insecure flag internally, which according to my understanding of its source code forces the scheme to plain http, rendering the former option superfluous.
Worse, I originally set the flag above when testing against an internal HTTPS-only registry with an internal CA, i.e. HTTPS is required, but the registry's certificate is unknown, but the flag resulted in the executor forcing plain HTTP.
I therefore find that the flag in its current form is confusingly named and either name or function should be altered.
One solution, which I've already implemented, would be splitting the flag into two distinct flags. One for allowing plain HTTP registries and one for skipping certificate verification. As this would change existing command line flags there is probably some additional pondering to do on this one.
Another way would be to try HTTPS with certificate verification disabled and falling back to HTTP if the connection attempt fails, but this seems more complicated and error-prone to me.
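The two-flag split proposed in the issue, as an added Go sketch that is not the project's code and not the reporter's implementation. The flag names `--allow-plain-http` and `--skip-tls-verify`, the `Options` type, its helpers and the sample host are all hypothetical.

```go
package main

import (
	"crypto/tls"
	"flag"
	"fmt"
	"net/http"
)

// Options keeps the two decisions apart. Both flag names are hypothetical.
type Options struct {
	AllowPlainHTTP bool // --allow-plain-http: use http:// for the registry
	SkipTLSVerify  bool // --skip-tls-verify: stay on https://, skip cert checks
}

// ParseOptions reads the two independent flags from args.
func ParseOptions(args []string) (Options, error) {
	var o Options
	fs := flag.NewFlagSet("push", flag.ContinueOnError)
	fs.BoolVar(&o.AllowPlainHTTP, "allow-plain-http", false, "talk plain HTTP to the registry")
	fs.BoolVar(&o.SkipTLSVerify, "skip-tls-verify", false, "accept unverified registry certificates")
	err := fs.Parse(args)
	return o, err
}

// BaseURL is the registry API root; only AllowPlainHTTP can drop the scheme to http.
func (o Options) BaseURL(host string) string {
	scheme := "https"
	if o.AllowPlainHTTP {
		scheme = "http"
	}
	return scheme + "://" + host + "/v2/"
}

// Transport applies SkipTLSVerify to certificate checking and nothing else.
func (o Options) Transport() *http.Transport {
	return &http.Transport{TLSClientConfig: &tls.Config{
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: o.SkipTLSVerify,
	}}
}

func main() {
	// The issue's case: HTTPS-only registry whose internal-CA certificate is unknown.
	o, err := ParseOptions([]string{"--skip-tls-verify"})
	if err != nil {
		panic(err)
	}
	fmt.Println(o.BaseURL("registry.internal.example:5000"),
		o.Transport().TLSClientConfig.InsecureSkipVerify)
}
```

With only `--skip-tls-verify` set, the connection stays on HTTPS and is still encrypted, which is the behaviour the reporter expected from the original flag.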